SUMMARY

• Experienced in vulnerability assessment of internet facing assets and internal assets using tools like Burp Suite, IBM Appscan, Nessus, Live HTTP headers Metasploit, Wire shark, SQL map, OWASP ZAP Proxy, Acunetix, Nmap, checkmarx and HP Fortify
• 7+ years of professional IT Experience as Security Engineer in various domains like Penetration testing, Web Application security testing, Vulnerability Assessment, and generating reports using tools
• Excellent knowledge in OWASP Top 10, SIEM and THREAT CLASSIFICATION methodologies
• Updated risk assessments business to reflect regulatory and business changes, as well as the impact of audit, compliance testing, and regulatory exam results on risk assessments
• Experience in SQL Injection protection, XSS protection, script injection and major hacking protection techniques
• Good Knowledge on Network Protocols such as TCP/IP, SNMP, SMTP, NTP, DNS, LDAP, etc.,
• Installing and configuring servers, in accordance with standards and operational requirements including hardening of Operating Systems
• Proficient in configuring operating system (Kali Linux, Windows, Backtrack) utilities and programming
• Good Knowledge on Web services using REST, JSON, XML, SOAP
• Experience in testing security and malware application.
• Managed the cycle of project continuity, reviewed the technical work of team, and ensured the quality - of-service deliverables
• Worked on windows server administration activities
• Excellent programming skills on JavaScript, Python, XML and AJAX
• Experience in documenting the testing process using MS-Office tools including MS-Word, MS-Excel, and MS-Project
• Risk assessment on the application by identifying the issues and prioritizing the issues based on risk level
• Experience with both Black and White Box testing in a Web environment
• Good knowledge on Information Security teams to tune SAST/DAST tools and process
• Experience in all phases of Software Development Life Cycle (SDLC) and SaaS.
• Monitor SIEM and SOC feeds to identify possible enterprise threats. Investigate threats to determine nature of incident Providing remediation to the developers based on the issues identified
• Experienced in implementing Firewalls and updating IDS/IPS signatures
• Experience with Internet/Intranet Networking Protocols and Services
• Managed inventory of network hardware and Monitoring by syslog, SNMP, NTP.
• Worked on different LAN & WAN technologies and expertise in implementing L2 technologies including VLAN’s, VTP, STP, RSTP, and Trunking and Port Security
• Excellent team player, enthusiastic initiator, and ability to learn the fundamental concepts effectively and efficiently
• Good knowledge on NIST, SOX, PCI DSS and HIPAA
• Excellent communication, analytical, troubleshooting, customer service and problem-solving skills; excels in mission-critical environments requiring advanced decision-making

TECHNICAL SKILLS

Security Tools: Metasploit Pro, ZED attack pro SQLMAP, Wireshark, Web Scarab, Nmap, Nessus, Rapid7 Nexpose, ArcSight SIEM,Qualys, OWASP ZAP Proxy, HP Fortify, SQL Map

DAST & SAST tools: IBM AppScan Enterprise (ASE), Standard & Source editions, HP Web Inspect, Burp Suite Pro, Acunetix, SQLMAP, Checkmarx

Languages: Java, JavaScript, Python, C/C++, C#.NET, Perl, UML, XML, AJAX

Operating Systems: Oracle Solaris UNIX, RedHat LINUX 4/5, Windows Server2003/2008, Kali Linux

Web Servers: Apache Tomsalecat

Application Servers: WebLogic Server, Microsoft IIS

Middleware: IBM WebSphere

Databases: Oracle, MS SQL Server, Postgres SQL

Web Services: REST/SOAP

PROFESSIONAL EXPERIENCE

Confidential, St Louis, MO

Senior Information Security Engineer/Pen Tester

Responsibilities:

• Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality
• Hands on experience in web application Pen testing
• Providing PKI support to users as Registration Authority (RA) and Sole ownership of all PKI related activities
• Working with Aws tool for ticket raising and CI/CD pipeline
• Found common web site security issues (CSRF, XSS, applications logic, SQL injection, information leakage, session fixation etc.) across various platforms
• Port scanning servers using NMAP and Nessus
• Conducted Vulnerability Assessment on various applications
• Acquainted with various approaches to Grey & Black box security testing
• Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, Authentication bypass, Weak Cryptography, Authentication flaws
• Conducting Web Application Vulnerability Assessment & Threat Modelling, Gap Analysis, secure code review on the applications with respected to guidelines provided by Cisco.
• Skilled using Burp Suite, Acunetix Automatic Scanner, IBM App Scan, N-map, ZAP, Metasploit for web application penetration tests
• Conducted penetration testing on the company’s cloud infrastructure, identifying vulnerabilities in its security systems.
• Used my knowledge of AWS and Azure to assist engineering in planning future development.
• Generated and presented reports on Security vulnerabilities to both internal and external customers.
• Experience with cloud infrastructure (IaaS, PaaS) design, implementation or maintenance, including experience with well-known platforms.
• Security assessment of online applications to identify the vulnerabilities in difference categories like Input and data Validation, Authentication, Authorization, Auditing & logging
• Assisting customer in understanding risk and threat level associated with vulnerability so that customer may or may not accept risk with respect to business criticality
• Update with the new hackings and latest vulnerabilities to ensure no such loopholes are present in the existing System.

Environment: Vulnerability Assessment, Application-level vulnerabilities, PKI Enabled Applications, Burp Suite, IBM App Scan, Acunetix Automatic Scanner, N-map, Dir Buster, SQL Map

Confidential, Phoenix, AZ

Information Security Engineer/Pen Tester

Responsibilities:

• Conducting application and infrastructure penetration tests, Security Consulting as well as physical security review and Social Engineering tests for our clients.
• Perform Penetration Testing in accordance with OWASP standards and SANS 25 using manual techniques and Automated Tools.
• Experience in Android applications using Drozer security frameworks and some tools.
• Application testing Using Burp Suite Pro and Live HTTP Headers for Web and Mobile applications to identify the vulnerabilities and to validate the Server-side validations.
• Using NMap, OpenVAS, Security Center and NESSUS for Network and Port Scanning for closure of unnecessary ports.
• Using DirBuster to brute-force directories and Fierce to scan and brute-force domains (DNS).
• Identified security issues on DOM (Document Object Model) based environments.
• Using Metasploit to exploit Proof of Concepts and SQL Map to dump the database data to the local folder.
• Experience in postman API testing to Runs requests, test and debug, create automated and mock, documents and monitor an API
• Good knowledge on red team penetration testing
• Responsible for security testing of web flows using IBM AppScan tool
• Skilled using Burp Suite, Acunetix Automatic Scanner, NMAP, Dirbuster, Qualysguard, Nessus, SQL Map for web application penetration tests and infrastructure testing
• Conduct network Vulnerability Assessments using tools to evaluate attack vectors, Identify System Vulnerabilities and develop remediation plans and Security Procedures
• Continually improve the secure SAST/DAST process and environment
• Conduct proactive monitoring, investigation, and mitigation of security incidents
• Analyze security event data from the network (IDS, SIEM) and experience in Arcsight SIEM and encase
• Solid working knowledge of networking technology and the OSI Model, including TCP/IP protocols and standards
• Review security logs and violation reports for root cause analysis
• Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, security devices including firewalls, IDS/IPS, O365 hardware deployment
• Perform live packet data capture with Wire shark to examine security flaws
• Utilize various Firefox add-ons like Flag fox, Live HTTP Header, Tamper data to perform the pen test
• Revalidate the issues to ensure the closure of the vulnerabilities
• Performed penetration examinations for ascertaining the technical weaknesses existing the web application systems
• Perform compliance scanning to analyze configurations, facilitate implementation of configurations and hardening settings for web applications running or hosted on the networks, operating systems, applications, and other information system components
• Well versed in understanding application-level vulnerabilities like SQL Injection, XSS, CSRF, authentication bypass, authentication flaws, cryptographic attacks etc
• Strong experience on assessing and mitigating OWASP top 10 criticalrisks.
• Port scanned servers using NMAP and closed all unnecessary ports to reduce the attack surface
• Identified, documented and communicated vulnerabilities to appropriate members of management team prioritizing remediation requirements and increasing focus on secure coding processes and configurations
• Performs tailored web-application penetration tests using advanced manual techniques
• Calculates vulnerability risk using NIST CVSS and existing mitigating control considerations
• Security testing of APIs using SOAP UI
• Performed on Red team and blue team operations
• Good knowledge of network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching
• In this role, I implemented and maintained security controls< NIST >
• Strong understanding on DNS hijacking, DNS spoofing, content spoofing and wireless security with hands-onExperience using Kismet
• Conducted Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code reviews on the applications
• Performed both defensive and adversarial perspective type of threat modelling of the applications for detection of various potential threats

Confidential

Security Engineer/Analyst

Responsibilities:

• Performed vulnerability assessments, threat assessment, and mitigation and reporting activities to safeguard information assets and ensure protection has been put in place on the systems.
• Secured Code Review of the applications using open-source utilities identifying flaws in the coding practice and encouraging secured coding among the developer community.
• Drafted JavaScript with respect to the vulnerabilities like XSS, CSRF etc.
• Identified issues on sessions management, Input validations, output encoding, Logging, Exceptions, Cookie attributes, encryption, Privilege escalations
• Generated and presented reports on Security vulnerabilities to both internal and external customers using vulnerability tools.
• Preparation of risk registry for the various projects and coordination with the development team in Implementation of Security Needs: Audits, planning, design, implementation,testing, and management.
• Provided security implementation for authorization, by controls like principle of least privilege.
• Performing manual/automated application securitytestingon the major changes carried out in the application.
• Helped to research open-source intelligence feeds for current and emerging threat information
• Creation of secure virtualized lab for exploit creation, malware distribution analysis and security product testing
• Collaborated with fellow analysts to develop and streamline operational guidelines and perform analytical support of security incident calls across the enterprise.